Today I came across another suspicious website. This one is advertising on Amazon and other locations:
The website advertised is “www.atlantic-electrics.com”.. upon further inspection the following are red flags:
- The domain has only been registered since 26th October 2017.. Not even two weeks old at the time of writing.
- The domain uses “bitcoin-dns hosting”.. bitcoin doesn’t, yet, have much legitimate use.. The person hosting this website is paying by an anonymous payment method.
- At the time of writing visitors are just being shown a proxied version of the co-op electrical website with one bit of injected code:
UPDATE 2017-11-14: This has now changed and is injecting..
Right now the above page is just serving a 0 byte file or rejecting the connection entirely.
I will come back to the trkajtools.com domain later, but for the moment let’s go back to atlantic-electrics.com.
The domain is registered with the following interesting information:
The email address “firstname.lastname@example.org”
The postcode “TS20 9GD”
The email address “email@example.com” (Associated with the bitcoin-dns account).
This e-mail address has been used to register two other suspicious domains of UK retailers…
“TS20 9GD” – a postcode in the UK format however this postcode does not exist!
An email address associated with many writeups about sites using the Angler exploit kit.
This e-mail address is also associated with trkajtools.com
The website www.atlantic-electrics.com is hosted at 220.127.116.11 (“18.104.22.168.vultr.com”) and does not seem to host anything else.
So.. going back to “trkajtools.com”
This domain was purchased on 17th October 2017 and little intelligence exists about it. The only thing on google was the urlquery report that I ran on the domain earlier in the day. The domain also uses the “bitcoin-dns.hosting”.
The website trkajtools.com is hosted at 22.214.171.124 (“126.96.36.199.vultr.com”) and also does not seem to host anything else.
A lot of malicious or suspicious websites I find have a clear motive.. ones targeting electronics retail are normally there to steal credit card details or just trick visitors into sending money with no intention of shipping goods.
The atlantic-electrics website is far more ambiguous. It seems like a lot of effort to just infect a few people with an exploit kit whilst serving a page from a genuine retailer.
Possibly they plan to infect people while they investigate available websites and then skim the payment details once they place an order on a genuine website?
Maybe what is currently in place is just temporary and the website flips to being much more malicious at certain times of day or days of the week?